It is no secret that the government and, more broadly, the public sector have a history of challenges when it comes to attracting and retaining technical talent, including cybersecurity. While this issue isn’t uniquely specific to the public sector, with ISC2’s latest workforce study still showing 2.72 million vacant cybersecurity roles, the public sector does tend to struggle more than others. Another study by the U.S. Department of Commerce found 40,000 vacant public sector cyber roles.
Other alarming statistics include the reality that only 3% of federal IT workers are under 30. There are 16 times more federal IT workers over 50 than under 30. This issue, however, isn’t new, with reports going back nearly a decade documenting the public sector’s challenge to recruit and retain cyber talent. In this article, we will discuss some of those challenges as well as some of the national security and social services concerns associated with them.
Federal Approach to the Cyber Workforce
The federal space has been aware of issues with its approach to the cyber workforce for some time. Going back to 2015, the Office of Personnel Management (OPM) helped with what was called the Federal Cybersecurity Workforce Assessment Act. It called upon the federal government to conduct cyber workforce planning. This included aligning roles with the National Initiative for Cybersecurity Education (NICE) framework and also identifying and reporting on critical roles through 2022.
Building on this, other organizations have also studied and highlighted just how important cybersecurity is for the public sector workforce. In its whitepaper on the topic, the Cyberspace Solarium Commission (CSC) shared its finding that one in three public-sector jobs sits open.
4 Challenges of Public Sector Hiring & Retention
Some of the common problems plaguing the public sector when it comes to hiring and retention of cyber talent include:
- Lower compensation than peers in the private sector
- Location-restrictive policies that don’t facilitate widespread remote work
- Antiquated technologies and processes
- Painfully lengthy hiring timelines
It isn’t uncommon to hear from candidates who apply via traditional methods that they don’t get a response until months and, in some cases, years after applying for a role. Even in the best of cases, timelines are projected in terms of several months, whereas commercial hiring timelines are substantially shorter. Some of this, of course, could be due to clearance and investigation requirements, but it is also undoubtedly attributable to legacy processes and policies.
There is also the issue of legacy and slow-moving technology and systems that the workforce has to use. Earlier this year, the Director of Operations for the Air Force’s MIT AI Accelerator program penned a viral open letter dubbed “fix our computers.”
How Can These Challenges Be Improved?
There are several efforts underway to try and improve the situation. In addition to the aforementioned CSC recommendations and a federal cyber workforce strategy, cybersecurity talent management systems have been launched by organizations such as the Department of Homeland Security (DHS). That said, despite being launched in 2014, and costing tens of millions of dollars, the system only just celebrated its first official hire with plans to ramp up beyond that to several hundred by the end of the fiscal year.
What’s the Big Deal?
Some may be asking what the big deal is with the federal challenges of hiring and retaining cyber talent. While the private sector is absolutely critical to the economy and even national security, the criticality of the mission sets is much different. The Department of Defense (DoD) and federal civilian agencies are responsible for everything from nuclear weapons systems and military logistics to key medical and social services such as Social Security, Medicare, and Medicaid.
Failing to secure these systems will have severe ramifications for national security and social stability. Couple that with the reality that modern warfare will and does occur in the digital domain and it doesn’t look like a bright future.
We, as a nation, must figure out how to bring some of the best and brightest to the federal cybersecurity workforce. This will take a myriad of changes, such as workforce and hiring practices, compensation adjustments, geographic flexibility, partnerships with academia, and more. That said, the security of some of our most sensitive and significant systems as a nation depends on these changes occurring.